DanaBleed, a critical vulnerability in the C2 protocol of the DanaBot malware that had been present since 2022, allowed researchers to expose 16 cybercriminals, collect sensitive information, and dismantle the infrastructure of one of the most dangerous MaaS operations of recent years.

According to a new report from Zscaler ThreatLabz, the DanaBot banking Trojan, active since 2018, became fatally vulnerable after a C2 protocol update in June 2022 (version 2380). Because of a logic error in how padding bytes were generated, the C2 servers filled the padding with leftover contents of their own memory, so fragments of server RAM were sent to bots in every response and accumulated over time.
These leftovers, much like Heartbleed but in malware, allowed researchers to recover:
* IP addresses and usernames of operators;
* private cryptographic keys;
* victim logins and extracted credentials;
* SQL queries, C2 web snippets, changelogs;
* a complete map of backend infrastructure and domains.
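To make the mechanism concrete, here is an added example (not code from the Zscaler report or from DanaBot) using a constructed toy response format: a builder that extends the response over its padding without ever writing the padding bytes, the corrected builder beside it, and a QA check that flags leaked bytes. The buffer layout, function names and the "secret" are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy wire format (not DanaBot's real protocol): a payload is
 * copied into a reusable server buffer and padded to a 16-byte boundary. */
#define BLOCK 16
#define ARENA_SIZE 64
/* Reusable server buffer. A fixed arena instead of malloc() makes the leak
 * deterministic; in reality the leak is whatever heap data was there before. */
uint8_t arena[ARENA_SIZE];
/* Earlier request handling left a secret in the buffer and never cleared it. */
void simulate_prior_use(const char *secret) {
    memset(arena, 0, ARENA_SIZE);
    strncpy((char *)arena, secret, ARENA_SIZE - 1);
}

static size_t padded_len(size_t len) { return (len + BLOCK - 1) / BLOCK * BLOCK; }
/* Vulnerable builder: the length is extended to cover the padding, but the
 * padding bytes are never written, so stale buffer contents go on the wire. */
size_t build_response_vulnerable(const uint8_t *payload, size_t len) {
    size_t total = padded_len(len);
    memcpy(arena, payload, len);
    /* arena[len .. total) deliberately left untouched: the defect */
    return total;
}
/* Fixed builder: explicitly zero every padding byte before sending. */
size_t build_response_fixed(const uint8_t *payload, size_t len) {
    size_t total = padded_len(len);
    memcpy(arena, payload, len);
    memset(arena + len, 0, total - len);
    return total;
}
/* QA check: any nonzero byte in the padding region means data is leaking. */
size_t nonzero_padding(size_t len, size_t total) {
    size_t n = 0;
    for (size_t i = len; i < total; i++) n += arena[i] != 0;
    return n;
}

int main(void) {
    const uint8_t ok[] = "OK";
    simulate_prior_use("user=admin;pass=hunter2"); /* constructed secret */
    size_t leaked = nonzero_padding(2, build_response_vulnerable(ok, 2));
    simulate_prior_use("user=admin;pass=hunter2");
    size_t fixed = nonzero_padding(2, build_response_fixed(ok, 2));
    printf("vulnerable: %zu leaked, fixed: %zu leaked\n", leaked, fixed); /* 14, 0 */
    return 0;
}
```

The same check, run as a unit test over every response type a server can emit, is the kind of guard that would have caught this class of bug before deployment.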
This data became the basis for Operation Endgame, a large-scale international operation that took down 650 domains, seized roughly $4 million in cryptocurrency, and led to 16 members of the group being formally charged.
DanaBot belongs to the Malware-as-a-Service class: various groups used it to steal banking data and passwords, launch DDoS attacks, and take full control of infected devices. Although the core team (probably based in Russia) has not yet been arrested, the reputational blow from the exposure of the DanaBleed bug will make a return to the “market” extremely difficult. The evidence collected over three years shows how critical even a small software defect in a malicious architecture can be. The researchers worked quietly, gradually accumulating data until the entire infrastructure could be taken down.
DanaBleed became a decisive argument against cybercriminals’ confidence in their own anonymity. The case is a reminder that even the most sophisticated botnets can fall victim to their own bugs. The takedown of DanaBot is not only a technical victory but also a strong signal to the white hat community about the effectiveness of patient observation, analysis, and targeted evidence collection.